PRIVACY AT A GLANCE
A plain-language summary — please read the full policy below.
WHAT WE COLLECT
We collect the profile information you provide (age, nationality, education, work experience, immigration preferences), your account credentials, AI interaction data, and standard technical diagnostics. We do not collect advertising identifiers without your explicit consent.
WHAT WE DO WITH IT
We use your information solely to provide immigration informational Services, generate AI-assisted assessments, manage your account, ensure security, and improve platform reliability.
WHAT WE DO NOT DO
• We do NOT sell your personal information
• We do NOT use your immigration data for behavioral advertising
• We do NOT use your uploaded documents to train public AI models
• We do NOT make legally binding immigration determinations
YOUR CONTROLS
You can access, correct, delete, or export your data at any time. Contact dpo@gomigrant.ai or use in-app account settings.
DATA RETENTION
Active accounts: data retained while account is active plus 30 days after deletion. Billing records: 7 years. AI interaction logs: 90 days. See the full Retention Table in Section 14.
CONTACT
Data Protection Officer: dpo@gomigrant.ai
General Support: support@gomigrant.ai
1. WHO WE ARE
Data Controller:
EASE GLOBAL CONSULTANCY SERVICE INC.
Toronto, Ontario, Canada
support@gomigrant.ai
Data Protection Contact:
dpo@gomigrant.ai
Company / Privacy / Support Contact:
Authorized Company Representative: DIRENC SARIBAS
Role: Owner / Authorized Company Representative
Email: support@gomigrant.ai
Jurisdiction: Canada
Note: DIRENC SARIBAS is the authorized company contact for privacy inquiries, support requests, account deletion, and general company correspondence. This person is NOT an EU GDPR Article 27 Representative, UK GDPR Representative, Data Protection Officer, lawyer, immigration consultant, or legal counsel.
EU Representative (Article 27 GDPR):
NOT APPOINTED — Initial launch scope does not actively target EU/EEA users or markets.
GoMigrant.AI's initial commercial launch excludes EU/EEA store targeting, marketing, and user acquisition.
EU Article 27 representative applicability will be assessed by qualified legal counsel before any EU-targeted launch.
EU representative will be appointed in writing if required before EU-targeted launch.
EU/EEA users who voluntarily access the platform may contact dpo@gomigrant.ai.
EU/EEA users may also contact their national Data Protection Authority directly.
UK GDPR Representative:
NOT APPOINTED — Initial launch scope does not actively target UK users or markets.
UK representative applicability will be assessed by qualified legal counsel before any UK-targeted launch.
UK representative will be appointed in writing if required before UK-targeted launch.
UK users who voluntarily access the platform may contact dpo@gomigrant.ai.
UK users may also contact the ICO directly at ico.org.uk | 0303 123 1113.
GoMigrant AI is an independent AI-powered informational platform that helps users explore immigration pathways, eligibility criteria, scoring systems, and country-specific immigration information. We are NOT affiliated with any government authority, immigration agency, embassy, or regulatory body.
2. PRIVACY PHILOSOPHY
Privacy is a foundational design principle at GoMigrant AI — not a compliance checkbox.
2.1 Data Minimization
We collect only information reasonably necessary to operate and improve the Services. We intentionally avoid collecting unnecessary personal information.
2.2 Purpose Limitation
Information collected for one purpose is not repurposed for unrelated activities without separate disclosure and, where required, fresh consent.
2.3 User Control
You should understand what information is collected, why, how it is used, how long it is retained, and what controls you have. We strive for genuine transparency, not obscure legal complexity.
2.4 Responsible AI Governance
AI systems require governance, oversight, and continuous improvement. We treat AI outputs as assistive, non-deterministic, and subject to human review — not as autonomous decision-makers with binding authority.
2.5 Security-by-Design
Security controls are integrated into infrastructure, authentication, storage, development workflows, and operational procedures from the earliest stages of system design.
2.6 Official-Source Integrity
We prioritize publicly available official government immigration information wherever possible. Immigration systems evolve continuously, and users must independently verify all information through official sources before acting.
3. AI & IMMIGRATION DISCLOSURES
GoMigrant AI provides informational and educational technology services only.
THE SERVICES DO NOT:
• Provide legal advice, legal opinions, or legal representation
• Provide regulated immigration consulting or RCIC services
• Replace licensed immigration professionals
• Replace official governmental instructions or requirements
• Guarantee any immigration outcome
• Create solicitor-client, attorney-client, or RCIC-client relationships
AI-GENERATED CONTENT MAY:
• Contain inaccuracies, hallucinations, or outdated information
• Omit important context or jurisdiction-specific nuances
• Oversimplify complex legal frameworks
• Fail to reflect recent policy changes without notice
Immigration decisions are made exclusively by governmental authorities exercising independent discretionary judgment. Users remain solely responsible for independently verifying all immigration information before taking action.
All AI-Generated Content is labeled within the platform interface to clearly indicate its AI-generated nature, as required by applicable transparency obligations.
4. HIGH-RISK DATA ACKNOWLEDGMENT
Immigration-related information is deeply personal and may constitute or reveal special category data under applicable privacy law.
The Company acknowledges that User immigration profiles may contain or reveal:
• Racial or ethnic origin (GDPR Article 9)
• Religious or philosophical beliefs (GDPR Article 9)
• Political opinions (GDPR Article 9)
• Refugee or asylum status
• Sexual orientation (particularly in LGBTQ+ asylum contexts) (GDPR Article 9)
• Health conditions relevant to medical inadmissibility (GDPR Article 9)
• Biometric identifiers where applicable (GDPR Article 9)
• Criminal history or inadmissibility records (GDPR Article 10)
• Children's information in family immigration profiles
• Nationality-sensitive and statelessness information
• Financial information related to immigration sponsorship and investment programs
HEIGHTENED SAFEGUARDS APPLY to all of the above categories, including: explicit consent as the legal basis (where applicable), restricted internal access, encrypted storage, limited retention, and enhanced deletion workflows.
Where Users provide information in these categories, they do so voluntarily and with awareness that such information is processed only for immigration informational purposes with heightened data protection controls.
5. INFORMATION WE COLLECT
5.1 Immigration & Profile Information
You may voluntarily provide: age or date of birth, citizenship and nationality, country of current residence, education level and history, work experience and occupation, language proficiency test results, marital status, family composition, immigration preferences and destination countries, financial information relevant to immigration programs, and notes relating to your immigration journey.
5.2 Account Information
We collect: email address, encrypted authentication credentials (passwords hashed using bcrypt — never stored in plaintext), account identifiers, Sign In with Apple subject identifiers, and Sign In with Google account identifiers.
5.3 AI Interaction Data
When you use AI-powered features, we process: your prompts and questions, profile-based contextual information used to generate responses, AI-generated outputs, feedback and correction signals, and system reliability metadata. This data is used solely to operate the Services, maintain quality, prevent abuse, and improve reliability. YOUR PERSONAL IMMIGRATION PROFILE DATA IS NOT USED TO TRAIN PUBLICLY ACCESSIBLE OR FOUNDATION AI MODELS. See Section 11 for the full AI Training Disclosure.
5.4 Consent Logging
At registration, we log: timestamp (UTC), IP address, app version, device identifier hash (where available), Terms of Service version accepted, Privacy Policy version accepted, and user account identifier. This constitutes the lawful basis record for your consent to our Terms.
5.5 Device & Technical Information
We may collect: device type and operating system, app version, language settings, crash reports and diagnostics, anonymized usage analytics, session metadata, and fraud-prevention signals. We do not collect advertising identifiers (IDFA / GAID) without explicit consent through a separate mechanism.
5.6 Payment Information
Payments are processed by authorized third-party processors: Apple App Store (iOS), Google Play (Android), or Stripe (web). We do not store full payment card numbers on Company-controlled systems. We receive limited billing metadata including: subscription status, renewal dates, billing region, and plan tier.
5.7 Uploaded Documents
If you upload documents (passports, IDs, certificates, financial records, CVs), these are processed with heightened security controls. See Section 16 (Security Architecture) and the Terms of Service (Section 10) for full document handling provisions.
6. HOW WE USE INFORMATION
We use personal information only for legitimate, disclosed purposes:
SERVICE DELIVERY
• Generating AI-assisted immigration assessments and pathway information
• Calculating eligibility estimates and visa score approximations
• Personalizing informational content based on your profile
• Managing your account and subscription
• Processing payments and maintaining billing records
PLATFORM INTEGRITY
• Detecting and preventing fraud, abuse, and security threats
• Monitoring platform reliability and performance
• Investigating violations of our Terms of Service
LEGAL COMPLIANCE
• Meeting obligations under applicable laws and regulations
• Responding to lawful governmental requests
• Maintaining records required by tax and corporate law
SERVICE IMPROVEMENT
• Improving AI system accuracy and reliability using aggregated, anonymized data
• Conducting internal research on immigration information quality
COMMUNICATION
• Sending service notifications, subscription updates, and security alerts
• Responding to support requests
WE DO NOT:
• Sell personal information to any third party
• Use immigration profile data for cross-platform behavioral advertising
• Create advertising behavior profiles based on sensitive immigration information
• Share personal data with third parties for their own independent marketing
• Use your uploaded immigration documents to train public AI models
7. GDPR ARTICLE 6 — LEGAL BASIS TABLE
For users in the EU/EEA/UK, the following legal bases apply to our processing activities:
CONTRACT PERFORMANCE (Art. 6(1)(b))
• Account creation and management
• Delivering AI-assisted immigration assessments
• Processing subscription payments
• Providing customer support
CONSENT (Art. 6(1)(a))
• Processing sensitive / special category immigration data you voluntarily provide
• Marketing communications (separate opt-in required)
• AI model training opt-in (separate, granular opt-in only — default is OFF)
• Use of non-essential cookies or analytics beyond operational necessity
LEGAL OBLIGATION (Art. 6(1)(c))
• Tax, accounting, and corporate record-keeping (7-year retention)
• Data breach notifications to supervisory authorities
• Responding to lawful court orders or regulatory requests
LEGITIMATE INTERESTS (Art. 6(1)(f))
• Fraud prevention and platform security monitoring
• Ensuring platform reliability and infrastructure stability
• Internal product improvement using aggregated, anonymized data
• Enforcing our Terms of Service against violations
Legitimate Interest Assessments (LIAs) have been conducted for processing under Art. 6(1)(f) and are available to supervisory authorities upon reasonable request.
SPECIAL CATEGORY DATA (Art. 9)
For special category immigration data (racial/ethnic origin, health, religion, sexual orientation, etc.):
• Primary basis: Art. 9(2)(a) — Explicit consent provided at data entry
• Where applicable: Art. 9(2)(e) — Data manifestly made public by the data subject
All special category processing is recorded in our Records of Processing Activities (RoPA) maintained under Art. 30 GDPR.
8. AI GOVERNANCE FRAMEWORK
8.1 Human Oversight
AI Systems are assistive technologies and are not treated as autonomous legal decision-makers. Human review, operational monitoring, escalation procedures, and quality testing are applied to evaluate AI system performance, hallucination patterns, reliability, and safety.
8.2 No Fully Automated Legally Significant Decisions
GoMigrant AI does NOT make fully automated decisions that produce legal or similarly significant effects on immigration status, visa eligibility, citizenship, or governmental outcomes. All platform outputs are informational estimates only, subject to your independent review and judgment. Users retain the right to human review of any AI-generated assessment through our support team.
8.3 Right to Contest Automated Processing
You have the right to: obtain meaningful information about the logic of automated processing; express your point of view regarding AI-generated assessments; contest outputs you believe are incorrect; and request correction or re-assessment. To exercise these rights, contact dpo@gomigrant.ai.
8.4 Factors Considered in AI Assessments
AI-generated immigration assessments consider factors such as: age, education level, work experience duration and occupation, language proficiency scores, financial resources, marital status, family composition, intended destination country, and applicable immigration program criteria. These factors are processed statistically to generate informational estimates. Weighting and methodology evolve as immigration policies change; no trade-secret-level disclosure of proprietary algorithms is required or provided.
8.5 Significance and Consequences
AI-generated scores and pathway recommendations are informational indicators only. Reliance on these outputs for actual immigration decisions carries risk, as outputs may be inaccurate, outdated, or inapplicable to your specific circumstances. The platform displays uncertainty disclosures alongside probabilistic outputs.
8.6 Correction Rights
If you believe an AI-generated assessment is inaccurate, you may update your profile data, request re-assessment, or flag the output through the in-app reporting mechanism. You may also submit a correction request to dpo@gomigrant.ai.
8.7 EU AI Act Awareness
The Company acknowledges the potential applicability of the EU Artificial Intelligence Act (Regulation 2024/1689) to immigration-related AI systems, including Annex III high-risk AI system classifications. Our internal AI governance principles are designed to support transparency, human oversight, accuracy, and accountability obligations.
8.8 Source Traceability
Where AI-generated outputs reference specific immigration programs, processing times, or eligibility criteria, the platform makes reasonable efforts to link to official government source materials for independent verification.
8.9 Sensitive Context Escalation
For sensitive scenarios involving asylum, detention, deportation, statelessness, trafficking, or urgent humanitarian circumstances, the platform provides references to UNHCR resources and local emergency legal aid contacts. Human escalation pathways are available through support@gomigrant.ai.
9. AI PROVIDERS DISCLOSURE
The Services use third-party Large Language Model (LLM) infrastructure providers to power AI-assisted features. Current providers include:
• OpenAI (OpenAI, LLC / Microsoft Azure OpenAI) — GPT-series models
• Anthropic (Anthropic, PBC) — Claude-series models
• Additional LLM providers may be used as the platform evolves
AI provider processing is governed by:
• Data Processing Agreements (DPAs) with each provider
• Prohibition on use of your data to train the provider's own foundation models
• Security and confidentiality obligations
• Compliance with applicable privacy law transfer requirements
AI provider identities may change as the platform evolves. Material changes to AI providers that affect data processing will be disclosed in advance in accordance with our subprocessor notification procedures.
Users in the EU/EEA: AI provider processing in the United States is protected by Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914, supplemented by Transfer Impact Assessments (TIAs) under Schrems II requirements.
10. AI TRAINING DISCLOSURE
DEFAULT POSITION — NO PUBLIC MODEL TRAINING:
YOUR PERSONAL IMMIGRATION PROFILE DATA, AI INTERACTION HISTORY, AND UPLOADED DOCUMENTS ARE NOT USED TO TRAIN PUBLICLY ACCESSIBLE FOUNDATION AI MODELS OR TO FINE-TUNE MODELS FOR DISTRIBUTION TO THIRD PARTIES.
Aggregated, fully anonymized, de-identified statistical data may be used for internal product improvement and platform reliability research, provided no individual can be re-identified.
OPTIONAL OPT-IN MECHANISM:
If a future opt-in mechanism for AI training participation is introduced, it will:
• Require a separate, explicit, granular opt-in consent action (never bundled with Terms acceptance)
• Allow opt-in by specific data category (interaction data, anonymized pathway data, etc.)
• Display opt-in status in your account settings at all times
• Allow withdrawal of consent at any time; withdrawal stops future inclusion but cannot reverse previously completed model training processes
• Be described in full at the point of opt-in
CURRENT STATUS: No such opt-in mechanism is currently active. No training opt-in consent is collected or used.
11. AUTOMATED DECISION-MAKING — YOUR RIGHTS
GDPR Articles 13(2)(f), 14(2)(g), and 22 require us to provide meaningful information about automated processing and to protect you from solely automated decisions with significant legal effects.
WHAT FACTORS ARE CONSIDERED
Our AI systems process profile factors including: age, education level and credentials, work experience (years, occupation type, NOC/SOC code relevance), language test scores (IELTS, CELPIP, TEF, etc.), financial assets, marital and family status, destination country preference, and applicable program-specific criteria.
HOW OUTPUTS ARE GENERATED
These factors are analyzed statistically against immigration program eligibility criteria derived from official government sources. Outputs are generated as probabilistic estimates, not legal determinations. No output constitutes a guarantee or deterministic finding.
POSSIBLE CONSEQUENCES
AI-generated scores and pathway recommendations may influence your immigration planning decisions. However, because outputs are informational only and not legally binding, actual immigration outcomes depend entirely on governmental authority decisions.
YOUR RIGHTS REGARDING AUTOMATED PROCESSING
• Right to be informed: You are reading this disclosure now.
• Right to human review: Request that a human member of our team review an AI assessment at dpo@gomigrant.ai.
• Right to contest: Challenge any AI output you believe is incorrect by contacting dpo@gomigrant.ai.
• Right to express your view: Provide additional context about your circumstances that the AI may not have fully captured.
• GDPR Article 22 protection: We do not make fully automated decisions with legal or similarly significant effects on your immigration status without human oversight.
12. DATA GOVERNANCE & ACCESS CONTROLS
Access to personal information is strictly controlled based on operational necessity.
TECHNICAL CONTROLS
• Role-based access control (RBAC) limiting data access by job function
• Least-privilege access principles applied to all internal systems
• Multi-factor authentication (MFA) required for systems containing personal data
• Comprehensive audit logging of access to sensitive data systems
• Infrastructure segmentation isolating high-sensitivity data environments
• Credential rotation procedures and access revocation upon personnel changes
OPERATIONAL CONTROLS
• Personnel with data access operate under confidentiality obligations
• Vendor and contractor access is governed by data processing agreements
• Periodic access reviews to remove unnecessary permissions
• Security awareness training for personnel handling personal data
IMMIGRATION DOCUMENT HANDLING
Uploaded immigration documents are stored with: end-to-end encryption for upload transmission, AES-256 encryption at rest, restricted access limited to the service delivery function only, session-level access expiration, and separation from lower-sensitivity operational data stores.
13. DATA RETENTION TABLE
Concrete retention periods for each data category:
ACTIVE ACCOUNT DATA
Retained while your account is active. Upon verified account deletion: deleted or anonymized within 30 days, subject to legal hold requirements.
IMMIGRATION PROFILE DATA
Retained for the duration of your active account. Deleted within 30 days of verified account deletion request.
INACTIVE ACCOUNT DATA
Accounts with no activity for 24 consecutive months: profile data is anonymized or deleted. Users receive advance notice before anonymization.
SUBSCRIPTION & BILLING RECORDS
Retained for 7 years from transaction date to comply with Canadian Income Tax Act, GST/HST requirements, and equivalent international tax obligations.
SUPPORT COMMUNICATIONS
Retained for 36 months from last interaction to support dispute resolution and quality assurance.
SECURITY & AUDIT LOGS
Retained for 12 months for security monitoring and incident response purposes.
AI INTERACTION LOGS
Retained for 90 days for system quality, abuse prevention, and reliability monitoring. After 90 days, interaction logs are deleted or irreversibly anonymized.
MARKETING CONSENT RECORDS
Retained until consent is withdrawn, plus 30 days after withdrawal to process opt-out requests.
UPLOADED DOCUMENTS
Retained until you initiate deletion through account settings, or until account closure. Deleted within 30 days of verified deletion request. Backup copies deleted within applicable backup cycle.
CONSENT LOGS (Registration Acceptance)
Retained for the duration of the account plus 7 years for legal compliance and dispute resolution purposes.
DATA BREACH NOTIFICATION RECORDS
Retained for 5 years in accordance with regulatory accountability requirements.
NOTE: We do not use vague retention language such as "as long as necessary" without a paired concrete period. All retention periods are designed to satisfy applicable legal minimum and maximum retention obligations.
14. ACCOUNT DELETION & YOUR CONTROL
You have the right to delete your account and associated personal data at any time.
HOW TO DELETE YOUR ACCOUNT
• In-app: Navigate to Settings > Account > Delete Account
• Email: Submit a request to support@gomigrant.ai from your registered email address
• Identity verification may be required before processing deletion requests
WHAT HAPPENS AFTER DELETION
• Active profile information is deleted or irreversibly anonymized within 30 days
• Access credentials are revoked immediately
• AI interaction logs are deleted within 90 days (standard retention cycle)
• Certain records are retained where legally required (billing records: 7 years; consent logs: 7 years; security logs: 12 months; as set out in the Retention Table above)
APPLE IN-APP DELETION (Apple 5.1.1(v))
In compliance with Apple App Store requirements, in-app account deletion is available directly within the application without requiring Users to contact support or access a website.
PARTIAL DATA DELETION
You may request deletion of specific uploaded documents without deleting your entire account. Submit requests to support@gomigrant.ai or use the document management features within the app.
15. SECURITY ARCHITECTURE
We implement commercially reasonable technical and organizational safeguards designed to protect personal information.
ENCRYPTION
• Data in transit: TLS 1.2 or higher (TLS 1.3 preferred) for all connections
• Data at rest: AES-256 encryption for stored personal data and uploaded documents
• Authentication credentials: bcrypt hashing with salt (never stored in plaintext)
ACCESS SECURITY
• Role-based access control (RBAC)
• Multi-factor authentication required for administrative systems
• Least-privilege access principles
• Audit logging of access to systems containing personal data
INFRASTRUCTURE SECURITY
• Cloud infrastructure on AWS and GCP with SOC 2-certified providers
• Network segmentation and firewall controls
• Automated vulnerability scanning and patch management
• Intrusion detection monitoring
INCIDENT RESPONSE
• A documented incident response procedure is maintained
• Security incidents affecting personal data are investigated promptly
• Regulatory notification obligations are fulfilled within required timeframes
IMPORTANT LIMITATION
We do not claim to be "100% secure," "fully secure," or guarantee absolute prevention of unauthorized access. No internet-connected system can provide this guarantee. Users acknowledge inherent cybersecurity risks associated with internet-based services.
16. INTERNATIONAL DATA TRANSFERS
Your information may be transferred to and processed in countries outside your jurisdiction, including Canada, the United States, and other jurisdictions where our service providers operate.
TRANSFER MECHANISMS FOR EU/EEA USERS
Transfers from the EU/EEA to third countries are protected by:
• Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 (Controller-to-Processor or Controller-to-Controller, as applicable)
• Transfer Impact Assessments (TIAs) conducted in accordance with Schrems II (Case C-311/18) requirements
• Supplementary measures where required by TIA findings
TRANSFER MECHANISMS FOR UK USERS
• UK International Data Transfer Agreement (UK IDTA) or UK Addendum to EU SCCs
• Adequacy decisions where applicable
CANADIAN TRANSFERS
Canada is recognized by the EU as providing adequate protection (Commission Decision 2002/2/EC for PIPEDA-covered organizations). Transfers from Canada to the US and other countries are governed by contractual safeguards and PIPEDA accountability principles.
GOVERNMENT ACCESS RISK
Foreign governments, courts, regulators, or law enforcement agencies may access data stored in their jurisdiction under applicable laws. We will notify affected individuals of such requests where legally permitted to do so.
17. THIRD-PARTY PROVIDERS & SUBPROCESSORS
We use carefully selected third-party service providers (subprocessors) to support platform operation.
CATEGORIES OF SUBPROCESSORS
• Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform (GCP)
• AI / LLM Providers: OpenAI, Anthropic (and potentially others)
• Authentication: Supabase / Firebase (or equivalent)
• Payment Processing: Apple App Store, Google Play, Stripe
• Analytics: Anonymized crash reporting and usage analytics providers
• Email / Communications: Transactional email infrastructure providers
• Customer Support: Support ticketing system providers
SUBPROCESSOR GOVERNANCE
All subprocessors are required to:
• Enter into Data Processing Agreements (DPAs) with us
• Maintain confidentiality of personal data
• Implement appropriate technical and organizational security measures
• Process data only for specified, documented purposes
• Support the exercise of data subject rights
SUBPROCESSOR UPDATES
A live subprocessor list is maintained at /subprocessors on our website with: provider name, purpose, data categories processed, country of processing, and transfer mechanism. We provide at least 30 days' advance notice of the addition of material new subprocessors. Enterprise customers may object to new subprocessors during this window through their account manager.
YOUR DATA IS NOT SOLD TO SUBPROCESSORS. Subprocessors are authorized to process your data only for the specific purposes of delivering the Services.
18. COOKIES & ANALYTICS
MOBILE APPLICATION
The mobile application does not use third-party advertising cookies. Essential session tokens and secure local storage are used for authentication, user preferences, and fraud prevention only.
WEB APPLICATION
The web application may use:
• Essential cookies: Authentication session management, security tokens, CSRF protection (always active; no consent required)
• Analytics cookies: Anonymized usage analytics for platform improvement (consent required in EU/EEA/UK)
• No advertising cookies or cross-site tracking cookies are used
DEVICE IDENTIFIERS
Device identifiers may be collected for: fraud prevention, crash reporting, and session management. Advertising identifiers (IDFA on iOS, GAID on Android) are NOT collected without your explicit consent through Apple's App Tracking Transparency (ATT) framework or equivalent Android mechanism.
GLOBAL PRIVACY CONTROL (GPC)
We honor the GPC browser signal as a valid opt-out of data sharing under CCPA/CPRA for California users accessing our web application.
DO NOT TRACK (DNT)
We acknowledge the DNT browser signal. Where technically feasible, we apply DNT preferences consistently with applicable privacy law.
19. CHILDREN'S PRIVACY
The Services are NOT directed to children under 13 years of age (under 16 in the EU, UK, and EEA).
COPPA (UNITED STATES)
We do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). If we learn that a child under 13 has provided personal information, we will delete that information promptly and terminate the associated account.
GDPR-K (EU/EEA/UK — ARTICLE 8 GDPR)
In the EU, EEA, and UK, users under 16 require verifiable parental or guardian consent to use the Services. We do not knowingly collect personal data from users under 16 without this consent.
QUEBEC (LAW 25)
For users in Quebec, data relating to minors is handled in compliance with the Act Respecting the Protection of Personal Information in the Private Sector (Law 25), which includes strengthened minor data protections.
PARENTAL RIGHTS
Parents or guardians who believe their child has provided personal information without consent should contact support@gomigrant.ai. We will promptly investigate and take appropriate action, including deletion of the child's information.
FAMILY IMMIGRATION PROFILES
Where adult users include minor dependents in their immigration profiles, the adult user accepts responsibility for having parental or guardian authority to input that information and for the accuracy of data submitted on behalf of minor dependents. Information about minor dependents is processed with the same heightened safeguards as special category data.
20. YOUR RIGHTS — GDPR (EU/EEA)
If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation (GDPR):
RIGHT OF ACCESS (Art. 15)
Request a copy of the personal data we hold about you and information about how we use it.
RIGHT TO RECTIFICATION (Art. 16)
Request correction of inaccurate or incomplete personal data.
RIGHT TO ERASURE / "RIGHT TO BE FORGOTTEN" (Art. 17)
Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, you withdraw consent (where consent is the legal basis), or other conditions under Art. 17 apply.
RIGHT TO RESTRICTION OF PROCESSING (Art. 18)
Request that we limit processing of your data in certain circumstances.
RIGHT TO DATA PORTABILITY (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
RIGHT TO OBJECT (Art. 21)
Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
RIGHT TO WITHDRAW CONSENT (Art. 7(3))
Where processing is based on your consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
RIGHT TO LODGE A COMPLAINT
You have the right to lodge a complaint with your national Data Protection Authority (DPA). To find your national DPA: edpb.europa.eu/about-edpb/board/members_en
HOW TO EXERCISE YOUR RIGHTS
Submit requests to: dpo@gomigrant.ai
Response timeframe: Within one (1) month of receipt (extendable by two months for complex requests, with notification).
Identity verification: We may request identity verification before fulfilling requests.
21. YOUR RIGHTS — UK GDPR
If you are located in the United Kingdom, you have equivalent rights under the UK GDPR (retained EU law) and the Data Protection Act 2018, including all rights listed in Section 20 above.
UK Supervisory Authority:
Information Commissioner's Office (ICO)
ico.org.uk | 0303 123 1113
You have the right to complain to the ICO if you believe your data has been processed unlawfully. We encourage you to contact us first at dpo@gomigrant.ai so we can attempt to resolve your concern.
22. YOUR RIGHTS — CALIFORNIA (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
RIGHT TO KNOW (§ 1798.100)
Right to know what personal information we collect, use, disclose, and sell about you.
RIGHT TO DELETE (§ 1798.105)
Right to request deletion of personal information we have collected, subject to certain exceptions.
RIGHT TO CORRECT (§ 1798.106)
Right to request correction of inaccurate personal information.
RIGHT TO OPT-OUT OF SALE OR SHARING (§ 1798.120)
We do NOT sell or share personal information as defined under CCPA/CPRA. If this changes, we will provide a "Do Not Sell or Share My Personal Information" mechanism.
RIGHT TO LIMIT USE OF SENSITIVE PERSONAL INFORMATION (§ 1798.121)
We use sensitive personal information (immigration-related data) only for the purpose of providing the Services you requested. No secondary use for advertising or profiling is conducted.
RIGHT TO NON-DISCRIMINATION (§ 1798.125)
We will not discriminate against you for exercising your CCPA/CPRA rights.
AUTHORIZED AGENT
You may designate an authorized agent to submit requests on your behalf. We will require verification of the agent's authority.
GPC SIGNAL
We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sale/sharing under CCPA/CPRA.
SUBMIT REQUESTS
Email: dpo@gomigrant.ai
Response timeframe: Within 45 days (extendable by 45 days with notice).
23. YOUR RIGHTS — CANADA (PIPEDA & QUEBEC LAW 25)
PIPEDA (FEDERAL — ALL PROVINCES EXCEPT QC/AB/BC)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
• Access personal information we hold about you
• Challenge the accuracy and completeness of your information and request corrections
• Complain to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca
• Withdraw consent to collection, use, or disclosure (subject to legal limitations)
QUEBEC — LOI 25 (ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR)
Quebec residents have additional rights under Law 25, including:
• Right to know how personal information is being used in automated decision-making
• Right to contest automated decisions and have them reviewed by a human
• Right to data portability (computerized format)
• Enhanced deletion rights
• Mandatory Privacy Impact Assessment (PIA) for high-sensitivity processing
• 72-hour data breach notification obligation (applies to us)
• Right to lodge a complaint with the Commission d'accès à l'information (CAI): cai.gouv.qc.ca
LANGUAGE RIGHTS (QUEBEC BILL 96)
Services are available in French for Quebec users. French-language versions of key legal documents are provided or made available upon request as required by the Charter of the French Language.
PRIVACY IMPACT ASSESSMENT STATUS
We have conducted Privacy Impact Assessments for our high-risk data processing activities, including AI-assisted immigration profile analysis involving special category data. PIAs are reviewed annually and updated when material changes to processing occur. Results are available to the OPC, CAI, and applicable supervisory authorities upon reasonable request.
ALBERTA AND BC
Alberta (PIPA) and British Columbia (BC PIPA) residents have equivalent access and correction rights under their respective provincial privacy legislation. Submit requests to dpo@gomigrant.ai.
24. YOUR RIGHTS — TURKEY (KVKK)
For Turkish Users — KVKK (Law No. 6698 on the Protection of Personal Data)
As a personal data subject, you have the following rights (Article 11):
• To learn whether your personal data is being processed
• To request information about the processing if your personal data has been processed
• To learn the purpose of the processing of your personal data and whether it is used in accordance with that purpose
• To know the third parties to whom your personal data is transferred, domestically or abroad
• To request correction of your personal data if it has been processed incompletely or inaccurately
• To request the deletion or destruction of your personal data under the conditions set out in Article 7 of the KVKK
• To object to the processing of your data
• To claim compensation for damage if you suffer damage
For requests under the KVKK: dpo@gomigrant.ai
Your right to lodge a complaint with the Kişisel Verileri Koruma Kurumu (Personal Data Protection Authority) is reserved: kvkk.gov.tr
For the detailed KVKK Information Notice, see the section at the end of this document.
25. YOUR RIGHTS — BRAZIL (LGPD)
For users in Brazil, the Lei Geral de Proteção de Dados Pessoais (LGPD — Law 13.709/2018) provides the following rights:
• Confirmation of processing and access to your personal data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary or unlawfully processed data
• Data portability to another service provider
• Information about entities with whom data has been shared
• Information about the possibility of not providing consent and the consequences
• Withdrawal of consent at any time
• Review of decisions made solely by automated means
• Lodging a complaint with the Autoridade Nacional de Proteção de Dados (ANPD): gov.br/anpd
Legal basis for processing under LGPD: primarily consent (Art. 7(I)) for sensitive data, contract performance (Art. 7(V)) for service delivery, legitimate interest (Art. 7(IX)) for security and fraud prevention.
Submit requests to: dpo@gomigrant.ai
26. YOUR RIGHTS — AUSTRALIA, SINGAPORE & UAE
AUSTRALIA — PRIVACY ACT 1988 / AUSTRALIAN PRIVACY PRINCIPLES (APPs)
• APP 12: Right to access personal information we hold about you
• APP 13: Right to request correction of personal information
• Complaint process: Contact us first at dpo@gomigrant.ai; unresolved complaints may be referred to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
SINGAPORE — PERSONAL DATA PROTECTION ACT (PDPA)
• Right to access personal data we hold
• Right to correct personal data
• Right to withdraw consent (with notice; withdrawal may affect service availability)
• Complaints: Contact dpo@gomigrant.ai or the Personal Data Protection Commission (PDPC) at pdpc.gov.sg
UNITED ARAB EMIRATES — FEDERAL DECREE-LAW NO. 45 OF 2021 (PDPL)
• Right of access, correction, and erasure of personal data
• Right to object to processing
• Complaints: Contact dpo@gomigrant.ai or the UAE Data Office
Submit all rights requests to: dpo@gomigrant.ai
Response timeframe: Within the timeframe required by applicable law in your jurisdiction.
27. OTHER US STATE PRIVACY LAWS
Residents of the following US states have privacy rights materially equivalent to those described under CCPA/CPRA (Section 22), including rights to access, correct, delete, and opt out of sale or sharing of personal data:
• Virginia — Consumer Data Protection Act (VCDPA): Submit requests to dpo@gomigrant.ai
• Colorado — Colorado Privacy Act (CPA): Submit requests to dpo@gomigrant.ai; appeal rights available
• Connecticut — Connecticut Data Privacy Act (CTDPA): Submit requests to dpo@gomigrant.ai
• Utah — Utah Consumer Privacy Act (UCPA): Submit requests to dpo@gomigrant.ai
• Texas — Texas Data Privacy and Security Act (TDPSA, effective 2024): Submit requests to dpo@gomigrant.ai
• Oregon — Oregon Consumer Privacy Act (OCPA): Submit requests to dpo@gomigrant.ai
• Montana — Montana Consumer Data Privacy Act (CDPA): Submit requests to dpo@gomigrant.ai
• Iowa — Iowa Consumer Data Protection Act (CDPPA): Submit requests to dpo@gomigrant.ai
• Delaware — Delaware Personal Data Privacy Act (DPDPA): Submit requests to dpo@gomigrant.ai
• Tennessee — Tennessee Information Protection Act (TIPA): Submit requests to dpo@gomigrant.ai
• New Hampshire — New Hampshire Privacy Act (SB-255): Submit requests to dpo@gomigrant.ai
For all US state privacy requests: dpo@gomigrant.ai
We will respond within the timeframe required by applicable state law.
28. DATA BREACH NOTIFICATION
In the event of a personal data breach, we will:
GDPR (EU/EEA) — Article 33/34
• Notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
UK GDPR
• Follow equivalent ICO notification requirements within 72 hours
PIPEDA (Canada)
• Report breaches posing a real risk of significant harm (RROSH) to the Office of the Privacy Commissioner of Canada
• Notify affected individuals of RROSH breaches
QUEBEC LAW 25
• Report confidentiality incidents to the Commission d'accès à l'information within 72 hours where there is a risk of serious injury
• Notify affected individuals
US STATE LAWS
• Comply with applicable breach notification timeframes under California (72 hours to AG for 500+ residents), Texas (30 days), and equivalent state laws
PUBLIC INCIDENT PAGE
Security incidents of material scope are documented on our public security incident page at /security/incidents on our website.
WHAT WE WILL TELL YOU
Breach notifications will include, where known: the nature of the breach, categories and approximate number of individuals and records affected, likely consequences, and measures taken or proposed to address the breach.
29. APPLE PRIVACY NUTRITION LABEL MAPPING
For iOS App Store privacy disclosure purposes, the following data categories apply:
DATA LINKED TO YOU (account-based processing):
• Contact Info: Email address (account management)
• User Content: Profile data, immigration preferences (service delivery)
• Identifiers: Account ID, Sign In with Apple token (authentication)
• Usage Data: AI interaction logs, feature usage (service improvement)
• Diagnostics: Crash reports (platform reliability)
DATA NOT LINKED TO YOU:
• Diagnostics: Anonymized performance metrics
DATA NOT COLLECTED:
• Location (not collected)
• Browsing history (not collected)
• Advertising data / IDFA (not collected without ATT consent)
• Sensitive info used for tracking (not used for tracking)
• Health & fitness, financial info for tracking (not collected for these purposes)
• Contacts, SMS/email/messages (not collected)
• Search history (not collected beyond in-app search for service delivery)
TRACKING
We do NOT use your data to track you across third-party apps and websites for advertising purposes.
30. GOOGLE PLAY DATA SAFETY MAPPING
For Google Play Data Safety section compliance:
DATA SHARED WITH THIRD PARTIES
• Payment processors (Apple/Google/Stripe): billing metadata only
• AI providers (OpenAI, Anthropic): anonymized prompt processing
• Cloud providers (AWS/GCP): encrypted data storage
DATA COLLECTED BY THE APP
• Account info: Email address, encrypted password — Required, for account management
• App activity: AI interaction logs, feature usage — Required, for service improvement and abuse prevention
• App info and performance: Crash logs, diagnostics — Required, for platform reliability
DATA NOT COLLECTED
• Location — Not collected
• Photos/Videos — Not collected unless user uploads (in which case: user-initiated, not shared for advertising)
• Contacts — Not collected
• Device/other IDs for advertising — Not collected without consent
DATA SECURITY PRACTICES
• Data is encrypted in transit (TLS 1.2+)
• Data is encrypted at rest (AES-256)
• You can request data deletion through account settings or dpo@gomigrant.ai
• Independent security review is part of our compliance roadmap
AI-GENERATED CONTENT DISCLOSURE
All AI-generated responses within the app are labeled as AI-generated, an in-app feedback/flagging mechanism is provided, and no AI output is presented as authoritative legal advice.
31. THIRD-PARTY LINKS & GOVERNMENT SOURCES
The Services may contain links to official governmental websites, immigration agency portals, third-party immigration resources, and external informational references.
We are not responsible for the privacy practices, availability, accuracy, completeness, or legal compliance of third-party websites or services. Links to governmental sources are provided as a convenience for independent verification and do not constitute endorsement of those sources' content.
Users should independently review the privacy policies and terms of any third-party service they access through links in the platform. Official government websites may have their own data collection practices governed by public sector privacy laws.
32. CHANGES TO THIS POLICY
32.1 Material Changes
We will provide at least 30 days' advance notice of material changes to this Privacy & AI Governance Framework via: email to your registered address; an in-app notification banner; and/or a notice on our website.
Material changes include: new data collection categories, new processing purposes, new third-party sharing, changes to retention periods, changes to transfer mechanisms, and changes to user rights procedures.
Where material changes require fresh consent (e.g., new processing based on consent), we will implement a re-consent mechanism before the new processing begins.
32.2 Non-Material Changes
Non-material clarifications (correcting errors, updating contact details, adding new language-specific rights sections that do not affect processing) may take effect on the stated effective date. Continued use of the Services constitutes acceptance.
32.3 Version History
A publicly accessible version history is maintained at /privacy/history on our website. Each version is dated and summarizes material changes from the prior version.
33. CONTACT, DPO & SUPERVISORY AUTHORITIES
DATA PROTECTION OFFICER (DPO)
Email: dpo@gomigrant.ai
Subject line: "Data Protection Request — [Your Request Type]"
GENERAL SUPPORT
Email: support@gomigrant.ai
COMPANY ADDRESS
EASE GLOBAL CONSULTANCY SERVICE INC.
Toronto, Ontario, Canada
EU/EEA SUPERVISORY AUTHORITY (interim contact)
EU users may contact their national Data Protection Authority.
List of EU DPAs: edpb.europa.eu/about-edpb/board/members_en
UK SUPERVISORY AUTHORITY
Information Commissioner's Office (ICO)
ico.org.uk | 0303 123 1113
CANADA — OFFICE OF THE PRIVACY COMMISSIONER
priv.gc.ca
QUEBEC — COMMISSION D'ACCÈS À L'INFORMATION
cai.gouv.qc.ca
TURKEY — KİŞİSEL VERİLERİ KORUMA KURUMU (KVKK)
kvkk.gov.tr
BRAZIL — AUTORIDADE NACIONAL DE PROTEÇÃO DE DADOS (ANPD)
gov.br/anpd
AUSTRALIA — OAIC
oaic.gov.au
SINGAPORE — PDPC
pdpc.gov.sg
34. KVKK INFORMATION NOTICE (TURKISH DATA SUBJECT NOTICE)
INFORMATION NOTICE UNDER LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA
Data Controller:
EASE GLOBAL CONSULTANCY SERVICE INC., Toronto, Ontario, Canada
Contact: dpo@gomigrant.ai
Personal Data Processed:
First name, last name, email address, password (encrypted), nationality, country of residence, educational background, work experience, language proficiency, marital status, family information, immigration preferences, and AI interactions carried out with the platform.
Special Categories of Personal Data:
Immigration profiles may contain special category data relating to race/ethnic origin, religion, health status, or political opinion. This data is processed only on the basis of your explicit consent and for the purpose of providing visa/immigration information services (KVKK Article 6).
Purposes of Processing Personal Data:
• Providing AI-assisted immigration information services
• Managing the user account and subscription transactions
• Ensuring platform security and preventing abuse
• Fulfilling legal obligations
• Improving service quality (using anonymized data)
Legal Basis (KVKK Articles 5-6):
• Explicit consent (Article 5/1 and Article 6/2)
• Being directly related to the establishment or performance of a contract (Article 5/2-c)
• Legitimate interest of the data controller (Article 5/2-f) — security and fraud prevention
Parties to Whom Data Is Transferred:
• Cloud infrastructure providers (AWS, GCP — outside Turkey)
• AI model providers (OpenAI, Anthropic — outside Turkey)
• Payment processors (Apple, Google, Stripe)
Transfers Abroad:
Your personal data is processed outside Turkey (Canada, the USA, and other countries). Transfers abroad are carried out with the necessary safeguards in place under KVKK Article 9.
Retention Period:
Your profile is deleted within 30 days after account deletion. Billing records are retained for 7 years, security logs for 12 months, and AI interaction logs for 90 days.
Your Rights Under KVKK Article 11:
You have the right to access your personal data, to request its correction, deletion, or destruction, to object to processing, and to claim compensation for damage.
Requests: dpo@gomigrant.ai
Kişisel Verileri Koruma Kurumu (Personal Data Protection Authority): kvkk.gov.tr
35. DPIA STATUS
DATA PROTECTION IMPACT ASSESSMENT (DPIA) STATUS
In accordance with GDPR Article 35, we have conducted Data Protection Impact Assessments for our high-risk processing activities, including:
• AI-assisted immigration profile analysis involving special category data
• Processing of uploaded immigration documents (passports, IDs, financial records)
• Automated scoring and pathway recommendation systems
Date of last DPIA: Q1 2026
Next scheduled review: Q1 2027 (or upon material changes to processing)
DPIAs are available to the competent supervisory authority upon reasonable request.
DPIA findings have informed our implementation of: explicit consent as the legal basis for special category data, heightened encryption and access controls for immigration document storage, 90-day retention limits for AI interaction logs, and human oversight requirements for all AI-generated assessments.
VERSION INFORMATION
Privacy & AI Governance Framework Version: 2.0
Effective Date: May 19, 2026
Last Updated: May 19, 2026
Change Log: /privacy/history
Data Controller:
EASE GLOBAL CONSULTANCY SERVICE INC.
Toronto, Ontario, Canada
dpo@gomigrant.ai
This document was prepared to satisfy requirements under: PIPEDA, Quebec Law 25, GDPR (EU & UK), EU AI Act, CCPA/CPRA, KVKK, LGPD, Australian Privacy Act, Singapore PDPA, UAE PDPL, Apple App Store Privacy Guidelines, and Google Play Data Safety requirements.